Mailinglist Archive: opensuse-buildservice (45 mails)

< Previous Next >
Re: [opensuse-buildservice] [obs-signd] need advice about gpg key generation
On Tue, Sep 09, 2014 at 01:20:43PM +0200, Valentin Gologuzov wrote:
I'm looking for an advice with key generation for obs-signd. We would run
it independently from OBS. ( we want to utilize obs-signd
for package signing at Copr - http://fedorahosted.org/copr).

If I understand correctly, OBS manages user key outsides from obs-signd,
and provides private[public] keys directly to /bin/sign. At our service we
want to minimize
key manamement, keep secrets on secured machine (where singd runs) and
avoid sending secrets through network.

Sounds reasonable.

Here is our (future) setup:

host-0: secure machine where key-pairs is stored in /root/.gnupg/
it runs:
- [A] perl signd
- [B] small httpd service which generates new key-pairs into the keyring
and write generated passphrases to /root/.phrases/

host-1: backend where builds occurs and result rpms are signed
by invocation of /bin/sign [C]

[C] is configured by /etc/sign.conf to access [A] at host-0

When user `foo` builds first package, service [B] will be invocked and
passphrase will be added to /root/.phrases/ and keys will be added to
keyring, so that [A] can sign packages for user `foo` without recieving
keys through network.

[C] will be used:
* To sign rpm
[@host-1]:# sign -u foo@xxxxxxxxxxx target.rpm
* To obtain public key for user:
[@host-1]:# sign -u foo@xxxxxxxxxxx -p


Please, tell if this design makes sense or how should it be changed.

Makes sense. We do it a bit different in OBS, though. We don't store
the users' secret keys on our sign server, but instead encrypt them
with a dedicated OBS key. The advantage is that the encrypted private
keys can be stored and backuped like regular data, as you need
access to the secret OBS key to decrypt them (which is only stored
on the sign server).
The disadvantage is that an intruder can use any stored key to sign
rpms (but he can't copy the private key away and do more damage).

So for build.opensuse.org we actually have two security levels. For
most things we store the encrypted private key on the host, but
there are a couple of keys like the opensuse key that are only
stored in the sign server (and were created manually).

Example:(copr@xxxxxxxxxxx is the dedicated key that needs to exist
on the sign host)

* create a new key:
[@host-1]:# sign -u copr@xxxxxxxxxxx -P foo.priv -g rsa@2048 800 foo
foo@xxxxxxxxxxx > foo.pub
* sign rpm:
[@host-1]:# sign -u copr@xxxxxxxxxxx -P foo.priv target.rpm

Additional question:
Do we really need to protect keys with passhrases on [host-0]?
Private keys should never leave keyring at that machine.

I don't think you need passphrases. They don't help much if they
can be read from the filesystem anyway...

Cheers,
Michael.

--
Michael Schroeder mls@xxxxxxx
SUSE LINUX Products GmbH, GF Jeff Hawn, HRB 16746 AG Nuernberg
main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);}
--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-buildservice+owner@xxxxxxxxxxxx

< Previous Next >
Follow Ups
References